Land rapid7#5394, UUID registration and tracking

Author: Brent Cook

lib/msf/base/serializer/readable_text.rb

@@ -589,8 +589,11 @@ def self.dump_sessions_verbose(framework, opts={})
       sess_via     = session.via_exploit.to_s
       sess_type    = session.type.to_s
       sess_uuid    = session.payload_uuid.to_s
+      sess_puid    = session.payload_uuid.respond_to?(:puid_hex) ? session.payload_uuid.puid_hex : nil
+
       sess_checkin = "<none>"
       sess_machine_id = session.machine_id.to_s
+      sess_registration = "No"
 
       if session.respond_to? :platform
         sess_type << (" " + session.platform)
@@ -600,6 +603,13 @@ def self.dump_sessions_verbose(framework, opts={})
         sess_checkin = "#{(Time.now.to_i - session.last_checkin.to_i)}s ago @ #{session.last_checkin.to_s}"
       end
 
+      if session.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[sess_puid])
+        sess_registration = "Yes"
+        if uuid_info['name']
+          sess_registration << " - Name=\"#{uuid_info['name']}\""
+        end
+      end
+
       out << "  Session ID: #{sess_id}\n"
       out << "        Type: #{sess_type}\n"
       out << "        Info: #{sess_info}\n"
@@ -608,6 +618,10 @@ def self.dump_sessions_verbose(framework, opts={})
       out << "        UUID: #{sess_uuid}\n"
       out << "   MachineID: #{sess_machine_id}\n"
       out << "     CheckIn: #{sess_checkin}\n"
+      out << "  Registered: #{sess_registration}\n"
+
+
+
       out << "\n"
     end
 

lib/msf/core/framework.rb

@@ -73,7 +73,7 @@ module Offspring
   require 'msf/core/plugin_manager'
   require 'msf/core/db_manager'
   require 'msf/core/event_dispatcher'
-
+  require 'rex/json_hash_file'
 
   #
   # Creates an instance of the framework context.
@@ -91,6 +91,7 @@ def initialize(options={})
     self.datastore = DataStore.new
     self.jobs      = Rex::JobContainer.new
     self.plugins   = PluginManager.new(self)
+    self.uuid_db   = Rex::JSONHashFile.new(::File.join(Msf::Config.config_directory, "payloads.json"))
 
     # Configure the thread factory
     Rex::ThreadFactory.provider = Metasploit::Framework::ThreadFactoryProvider.new(framework: self)
@@ -187,6 +188,12 @@ def version
   # unloading of plugins.
   #
   attr_reader   :plugins
+  #
+  # The framework instance's payload uuid database.  The payload uuid
+  # database is used to record and match the unique ID values embedded
+  # into generated payloads.
+  #
+  attr_reader   :uuid_db
 
   # The framework instance's db manager. The db manager
   # maintains the database db and handles db events
@@ -243,6 +250,7 @@ def threads?
   attr_writer   :jobs # :nodoc:
   attr_writer   :plugins # :nodoc:
   attr_writer   :db # :nodoc:
+  attr_writer   :uuid_db # :nodoc:
 end
 
 class FrameworkEventSubscriber

lib/msf/core/handler/reverse_http.rb

@@ -56,7 +56,8 @@ def initialize(info = {})
         OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
         OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
         OptBool.new('OverrideRequestHost', [ false, 'Forces clients to connect to LHOST:LPORT instead of keeping original payload host', false ]),
-        OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>'  ])
+        OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>'  ]),
+        OptBool.new('IgnoreUnknownPayloads', [false, 'Whether to drop connections from payloads using unknown UUIDs', false])
       ], Msf::Handler::ReverseHttp)
   end
 
@@ -153,6 +154,10 @@ def setup_handler
 
     print_status("Started #{scheme.upcase} reverse handler on #{listener_uri}")
     lookup_proxy_settings
+
+    if datastore['IgnoreUnknownPayloads']
+      print_status("Handler is ignoring unknown payloads, there are #{framework.uuid_db.keys.length} UUIDs whitelisted")
+    end
   end
 
   #
@@ -228,6 +233,21 @@ def on_request(cli, req, obj)
       conn_id = generate_uri_uuid(URI_CHECKSUM_CONN, uuid)
     end
 
+    # Validate known UUIDs for all requests if IgnoreUnknownPayloads is set
+    if datastore['IgnoreUnknownPayloads'] && ! framework.uuid_db[uuid.puid_hex]
+      print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Ignoring request with unknown UUID")
+      info[:mode] = :unknown_uuid
+    end
+
+    # Validate known URLs for all session init requests if IgnoreUnknownPayloads is set
+    if datastore['IgnoreUnknownPayloads'] && info[:mode].to_s =~ /^init_/
+      allowed_urls = framework.uuid_db[uuid.puid_hex]['urls'] || []
+      unless allowed_urls.include?(req.relative_resource)
+        print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Ignoring request with unknown UUID URL #{req.relative_resource}")
+        info[:mode] = :unknown_uuid_url
+      end
+    end
+
     self.pending_connections += 1
 
     # Process the requested resource.
@@ -374,7 +394,9 @@ def on_request(cli, req, obj)
         })
 
       else
-        print_status("#{cli.peerhost}:#{cli.peerport} Unknown request to #{req.relative_resource} #{req.inspect}...")
+        unless [:unknown_uuid, :unknown_uuid_url].include?(info[:mode])
+          print_status("#{cli.peerhost}:#{cli.peerport} Unknown request to #{req.relative_resource} with UA #{req.headers['User-Agent']}...")
+        end
         resp.code    = 200
         resp.message = "OK"
         resp.body    = datastore['HttpUnknownRequestResponse'].to_s

lib/msf/core/payload/php/reverse_tcp.rb

@@ -3,7 +3,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/php/send_uuid'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Msf
 
@@ -16,7 +16,7 @@ module Msf
 module Payload::Php::ReverseTcp
 
   include Msf::Payload::Php::SendUUID
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   #
   # Generate the first stage
@@ -76,7 +76,7 @@ def generate_reverse_tcp(opts={})
 
     php << php_send_uuid if include_send_uuid
 
-    php << %Q^switch ($s_type) { 
+    php << %Q^switch ($s_type) {
 case 'stream': $len = fread($s, 4); break;
 case 'socket': $len = socket_read($s, 4); break;
 }
@@ -90,7 +90,7 @@ def generate_reverse_tcp(opts={})
 
 $b = '';
 while (strlen($b) < $len) {
-	switch ($s_type) { 
+	switch ($s_type) {
 	case 'stream': $b .= fread($s, $len-strlen($b)); break;
 	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
 	}

lib/msf/core/payload/transport_config.rb

@@ -1,14 +1,14 @@
 # -*- coding: binary -*-
 
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 ##
 # This module contains helper functions for creating the transport
 # configuration stubs that are used for Meterpreter payloads.
 ##
 module Msf::Payload::TransportConfig
 
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   def transport_config_reverse_tcp(opts={})
     config = transport_config_bind_tcp(opts)

lib/msf/core/payload/uuid_options.rb renamed to lib/msf/core/payload/uuid/options.rb

@@ -7,7 +7,7 @@
 #
 # This module provides datastore option definitions and helper methods for payload modules that support UUIDs
 #
-module Msf::Payload::UUIDOptions
+module Msf::Payload::UUID::Options
 
   include Rex::Payloads::Meterpreter::UriChecksum
 
@@ -17,6 +17,8 @@ def initialize(info = {})
       [
         Msf::OptString.new('PayloadUUIDSeed', [ false, 'A string to use when generating the payload UUID (deterministic)']),
         Msf::OptString.new('PayloadUUIDRaw', [ false, 'A hex string representing the raw 8-byte PUID value for the UUID']),
+        Msf::OptString.new('PayloadUUIDName', [ false, 'A human-friendly name to reference this unique payload (requires tracking)']),
+        Msf::OptBool.new('PayloadUUIDTracking', [ true, 'Whether or not to automatically register generated UUIDs', false]),
       ], self.class)
   end
 
@@ -31,7 +33,7 @@ def initialize(info = {})
   def generate_uri_uuid_mode(mode,len=nil)
     sum = uri_checksum_lookup(mode)
 
-    # The URI length may not have room for an embedded checksum
+    # The URI length may not have room for an embedded UUID
     if len && len < URI_CHECKSUM_UUID_MIN_LEN
       # Throw an error if the user set a seed, but there is no room for it
       if datastore['PayloadUUIDSeed'].to_s.length > 0 ||datastore['PayloadUUIDRaw'].to_s.length > 0
@@ -40,7 +42,11 @@ def generate_uri_uuid_mode(mode,len=nil)
       return "/" + generate_uri_checksum(sum, len, prefix="")
     end
 
-    generate_uri_uuid(sum, generate_payload_uuid, len)
+    uuid = generate_payload_uuid
+    uri  = generate_uri_uuid(sum, uuid, len)
+    record_payload_uuid_url(uuid, uri)
+
+    uri
   end
 
   # Generate a Payload UUID
@@ -66,7 +72,48 @@ def generate_payload_uuid
       conf[:puid] = puid_raw
     end
 
-    Msf::Payload::UUID.new(conf)
+    if datastore['PayloadUUIDName'].to_s.length > 0 && ! datastore['PayloadUUIDTracking']
+      raise ArgumentError, "The PayloadUUIDName value is ignored unless PayloadUUIDTracking is enabled"
+    end
+
+    # Generate the UUID object
+    uuid = Msf::Payload::UUID.new(conf)
+    record_payload_uuid(uuid)
+
+    uuid
+  end
+
+  # Store a UUID in the JSON database if tracking is enabled
+  def record_payload_uuid(uuid, info={})
+    return unless datastore['PayloadUUIDTracking']
+
+    uuid_info = info.merge({
+      arch: uuid.arch,
+      platform: uuid.platform,
+      timestamp: uuid.timestamp,
+      payload: self.fullname,
+      datastore: self.datastore
+    })
+
+    if datastore['PayloadUUIDSeed'].to_s.length > 0
+      uuid_info[:seed] = datastore['PayloadUUIDSeed']
+    end
+
+    if datastore['PayloadUUIDName'].to_s.length > 0
+      uuid_info[:name] = datastore['PayloadUUIDName']
+    end
+
+    framework.uuid_db[uuid.puid_hex] = uuid_info
+  end
+
+  # Store a UUID URL in the JSON database if tracking is enabled
+  def record_payload_uuid_url(uuid, url)
+    return unless datastore['PayloadUUIDTracking']
+    uuid_info = framework.uuid_db[uuid.puid_hex]
+    uuid_info['urls'] ||= []
+    uuid_info['urls'] << url
+    uuid_info['urls'].uniq!
+    framework.uuid_db[uuid.puid_hex] = uuid_info
   end
 
 end

lib/msf/core/payload/windows/reverse_http.rb

@@ -4,7 +4,7 @@
 require 'msf/core/payload/transport_config'
 require 'msf/core/payload/windows/block_api'
 require 'msf/core/payload/windows/exitfunk'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Msf
 
@@ -20,7 +20,7 @@ module Payload::Windows::ReverseHttp
   include Msf::Payload::Windows
   include Msf::Payload::Windows::BlockApi
   include Msf::Payload::Windows::Exitfunk
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   #
   # Register reverse_http specific options

lib/msf/core/payload/windows/x64/reverse_http.rb

@@ -4,7 +4,7 @@
 require 'msf/core/payload/transport_config'
 require 'msf/core/payload/windows/x64/block_api'
 require 'msf/core/payload/windows/x64/exitfunk'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Msf
 
@@ -20,7 +20,7 @@ module Payload::Windows::ReverseHttp_x64
   include Msf::Payload::Windows
   include Msf::Payload::Windows::BlockApi_x64
   include Msf::Payload::Windows::Exitfunk_x64
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   #
   # Register reverse_http specific options